You can now find Cyber Kendra on Google News!

Software bug makes Godaddy to revoke 9,000 SSL CERT

GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug
A glitch on the Godaddy system makes Godaddy revoke 9,000 SSL certificates. According to the company, the bug was introduced on July 29, 2016, as part of a routine code change meant to improve the certificate issuance process. GoDaddy learned about the problem from Microsoft on January 6 and revoked the affected certificates on January 10. The certificates will be reissued in the upcoming period.

An affected website's HTTPS encryption will still work even if its GoDaddy-issued certificate is revoked. However, visitors to your website may see error messages or warnings in their browser until a new certificate is installed. GoDaddy, which is issuing these replacement certificates free of charge, apologized to customers for the hassle caused by the slip-up in its notification email.


In a blog post, GoDaddy said the bug was introduced six months ago and only two percent or fewer users were impacted by this till the date.
“Prior to the bug, the library used to query the website and check for the code was configured to return a failure if the HTTP status code was not 200 (success). A configuration change to the library caused it to return results even when the HTTP status code was not 200,” explained Wayne Thayer, VP and General Manager of Security Products at GoDaddy. 

“In a typical process, when a certificate authority, like GoDaddy, validates a domain name for an SSL certificate, they provide a random code to the customer and ask them to place it in a specific location on their website,” it said. “When their system searches and finds the code, the validation is complete. However, when the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found.

GoDaddy said it was not aware of any cases where this bug had been exploited to procure a certificate for an unauthorized domain. Both Google and Mozilla have been notified about the incident.

If you are a Godaddy user and are among the affected users then do check your mail inbox for the notification and procedure to fix it.

Post a Comment